On November 18, Electronic Frontier Foundation (EFF) announced a new certificate authority (CA) was put together with the help of Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan that aims to clear the remaining roadblocks to transition the Web from HTTP to HTTPS called Let’s Encrypt.
Although the HTTP protocol has been hugely successful, it is inherently insecure. Whenever you use an HTTP website, you are always vulnerable to problems, including account hijacking and identity theft; surveillance and tracking by governments, companies, and both in concert; injection of malicious scripts into pages; and censorship that targets specific keywords or specific pages on sites. The HTTPS protocol, though it is not yet flawless, is a vast improvement on all of these fronts, and we need to move to a future where every website is HTTPS by default.With a launch scheduled for summer 2015, the Let’s Encrypt CA will automatically issue and manage free certificates for any website that needs them. Switching a web server from HTTP to HTTPS with this CA will be as easy as issuing one command, or clicking one button. -EFF
Obstacles to Let’s Encrypt
The three biggest obstacle to HTTPS deployment is the complexity, bureaucracy, and the cost of certificates that HTTPS requires. Misconfigured certificates often cause warnings and error messages indicating that HTTPS is dependent on a complex and often structurally dysfunctional bureaucracy for authentication. That’s where Let’s Encrypt comes in because it will eliminate, if not all, most erroneous certificate warnings. Also, the need to obtain, install, and manage certificate from that bureaucracy is the reason that sites use HTTP rather than HTTPS. According to the tests conducted by EFF, it takes 1 – 3 hours to enable encryption for the first time. However, with Let’s Encrypt, it can decrease that to 10 – 30 seconds only. You can watch a video of how it works here.
Let’s Encrypt will use a few new technologies to manage secure automated verification of domains and issuance of certificates. EFF is developing a protocol that Let’s Encrypt will use called ACME between web servers and the CA, which includes support for new and better forms of domain validation. EFF will also imply Internet-wide data sets of certificates such as their own Decentralized SSL Observatory, University of Michigan’s scans.io, and Google’s Certificate Transparency logs to make higher-security decisions when a certificate is safe to issue. A non-profit organization named Internet Security Research Group (ISRG) will be managing Let’s Encrypt. If you want to try and test it, you can test it here.